UBot Underground

[Tutorial] How To Deal With Asp.Net Verification Tokens With HTTP Post



Some Asp.Net websites use a system that prevents other websites from performing actions on your behalf. Inside of the HTML, it generates a hidden token, and when you post your message, submit something, etc., it sends your token to verify that. This can be tricky for the HTTP Post plugin because it requires a token each time. Without a token, it is impossible to use the HTTP Post plugin on the website, and that's where I gave up before I did some more research.

 

  • Since the website gives the token to you in the HTML, you can easily use HTTP GET to download the webpage.
  • Once you download the webpage you can use regex to isolate the token.
  • After the token is isolated, you simply HTTP POST your newly found token.

 

http://i.gyazo.com/2fbd33570dcb1230a0ab370dca34b289.png

That is what the code looks like from our browser's point of view. It's hidden, but it has a value. The regex: (?<=RequestVerificationToken\"\ type\=\"hidden\"\ value\=\")[a-zA-Z0-9-_]+(?=\") would isolate the token.

__RequestVerificationToken=bgUgVEQgh0yFCZ5wrJ1eQJm7dch7_IMAK065xt1tHX9874IuF6Gwcp1aiFncmQainpWnkaGFJ587YmFQT9FywyT2Z5TFw9SLX4dlcyjNUQteDpI2tAvIkwPT4e-z2tqwj-jHDMD8ZrqdYeFgQgi5gfvZjJg1&id=1061227

If the token's value was bgUgVEQgh0yFCZ5wrJ1eQJm7dch7_IMAK065xt1tHX9874IuF6Gwcp1aiFncmQainpWnkaGFJ587YmFQT9FywyT2Z5TFw9SLX4dlcyjNUQteDpI2tAvIkwPT4e-z2tqwj-jHDMD8ZrqdYeFgQgi5gfvZjJg1 that is the POST.

 

 

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

That link gives a good description for the webmaster's point of view.

 

 

 

If you have any questions (you probably will) feel free to ask!  :) If you don't deal with any Asp.Net websites, this is all new to you, but if you deal with some of the higher security sites, you may have had this issue.

  • Like 2
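The three steps from the post (GET, isolate the token, POST) as an added Python example; it is not part of the original post, which uses UBot's HTTP Post plugin, and it runs against a constructed local stand-in server with made-up token values. The names StandIn, TokenFinder, extract_token, submit and demo are hypothetical. It goes one step beyond the post: the hidden field is read with an HTML parser so attribute order does not matter, and it shows that ASP.NET pairs the hidden field with a cookie set on the GET, so both requests must share one cookie jar.

```python
import threading, urllib.parse, urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer

FIELD = "__RequestVerificationToken"
FORM_TOKEN, COOKIE_TOKEN = "form-token-constructed", "cookie-token-constructed"  # made up

class StandIn(BaseHTTPRequestHandler):  # constructed stand-in site: wants cookie and field back
    def log_message(self, *args): pass  # keep the demo quiet
    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", f"{FIELD}={COOKIE_TOKEN}; HttpOnly")
        self.end_headers()
        self.wfile.write(f'<input value="{FORM_TOKEN}" type="hidden" name="{FIELD}" />'.encode())
    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        ok = form.get(FIELD) == [FORM_TOKEN] and COOKIE_TOKEN in self.headers.get("Cookie", "")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"accepted" if ok else b"rejected")

class TokenFinder(HTMLParser):  # finds the hidden input whatever its attribute order
    token = None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == FIELD:
            self.token = attrs.get("value")

def extract_token(html):
    finder = TokenFinder()
    finder.feed(html)
    return finder.token

def submit(url, opener, fields):  # GET the page, extract the token, POST it; returns the reply
    token = extract_token(opener.open(url).read().decode())
    data = urllib.parse.urlencode({FIELD: token, **fields}).encode()
    return opener.open(url, data).read().decode()

def demo():
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    no_proxy = urllib.request.ProxyHandler({})  # keep loopback traffic off any system proxy
    with_jar = urllib.request.build_opener(no_proxy, urllib.request.HTTPCookieProcessor())
    without = urllib.request.build_opener(no_proxy)  # forgets the cookie from the GET
    results = submit(url, with_jar, {"id": "1061227"}), submit(url, without, {"id": "1061227"})
    server.shutdown()
    return results

if __name__ == "__main__": print(demo())
```

The second result is the failure to expect when the token is posted from a client that did not keep the cookie issued with the page.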